http: avoid out of bound accesses on broken Set-Cookie headers

It's trivial to craft a HTTP response that will make the code for skipping trailing whitespace access and possibly overwrite bytes outside of the memory allocation. Why this can happen is blindingly obvious: it accesses cstr[strlen(cstr)-1] without checking whether the string is empty.
author: wm4 <nfxjfg@googlemail.com> 2018-03-08 04:47:40 +0100
committer: wm4 <nfxjfg@googlemail.com> 2018-03-18 12:36:24 +0100
commit: c0687acbf6094053834af6a20e9d71b455842c8c (patch)
tree: cbb1929fa71ff08beee62cfd617fd0574bfd83e3 /libavformat/http.c
parent: 39c1d170a3474a06f4805589d642f605f7ef1436 (diff)
download: ffmpeg-c0687acbf6094053834af6a20e9d71b455842c8c.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/libavformat/http.c b/libavformat/http.c
index d7a72e7129..59f90ac603 100644
--- a/libavformat/http.c
+++ b/libavformat/http.c
@@ -750,6 +750,9 @@ static int parse_set_cookie(const char *set_cookie, AVDictionary **dict)
 {
     char *param, *next_param, *cstr, *back;
 
+    if (!set_cookie[0])
+        return 0;
+
     if (!(cstr = av_strdup(set_cookie)))
         return AVERROR(EINVAL);
author	wm4 <nfxjfg@googlemail.com>	2018-03-08 04:47:40 +0100
committer	wm4 <nfxjfg@googlemail.com>	2018-03-18 12:36:24 +0100
commit	c0687acbf6094053834af6a20e9d71b455842c8c (patch)
tree	cbb1929fa71ff08beee62cfd617fd0574bfd83e3 /libavformat/http.c
parent	39c1d170a3474a06f4805589d642f605f7ef1436 (diff)
download	ffmpeg-c0687acbf6094053834af6a20e9d71b455842c8c.tar.gz